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TECHNICAL FIELD OF INVENTION 

The present invention relates to software and hardware implementation of elliptic curve 
cryptographic systems, in particular, and systems that require computation of calculations 
involving a finite number of arbitrary field operations within a finite field, in general. 

BACKGROUND OF THE INVENTION 

In the modern information-based society, the need for global computer and network 
security is becoming increasingly urgent. Cryptographic systems are fiandamental tools used to 
build systems that ensure privacy, trust, and access control in such diverse areas as electronic 
commerce, corporate security, digital distribution of intellectual property, and national security, 
among others. 

"Public-key" cryptographic systems, in turn, provide essential capabilities needed in 
systems requiring secure exchange of information between entities (people or computer systems) 
that may have never exchanged data with one another before. Most modern information systems, 
including the Internet, fit this description. As an example, while a consumer may have never had 
any contacts with a particular on-line vendor, he or she should be able to purchase an item from 
that vendor in a secure manner. Public-key cryptosystems enable such purchases through 
providing capabilities such as encryption, decryption, digital signatures, and signature verification. 
In public-key cryptography, an entity interested in receiving secure messages from others 
publishes his or her "public key." Others use this public-key to encrypt messages they send to the 
entity These messages can be decrypted only through the use of a "private key" which is known 
only to the entity. The entity can also use this private key to digitally "sign" a piece of data. 
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Others, in turn, can use the pubhc key to verify the signature and ascertain that the data was 

indeed signed by the signing entity. 

The security of a pubHc-key cryptosystem depends on how difficult it is to derive a private 
key from its associated, known public key. The more complex it is to mathematically derive the 
private key, the more time it takes a computer to "break" a public key by "guessing" its 
corresponding private key. Today, the most commonly used public-key cryptography system is 
the RSA public-key cryptosystem. The relationship between RSA's public and private keys is 
governed by the mathematics of factorization of large composite integers. RSA public and private 
keys are large integers represented as a binary bit pattern. The longer a key, the harder it is and 
the longer it takes a computer to break it by deriving its private key. For example, modem 
advances in factorization algorithms and distributed computing have made breaking 400-bit RSA 
keys possible. Breaking an RSA key of length 1024 or 2048 bits, however, is thought to be 
virtually impossible given the computing resources available today To retain an acceptable level 
of security, modern systems have been using longer RSA keys. Since performing public-key 
cryptography using longer keys requires more computing resources, it is economically ideal to use 
an alternative public-key cryptosystem that provides the same level of security with shorter keys. 

Over the last decade. Elliptic Curve Cryptography ("ECC") has emerged as one possible 
alternative for an effective cryptosystem. ECC offers the same level of security as RSA with keys 
that are one-sixth the length of RSA keys. Until now, however, existing software implementations 
of ECC have been too inefficient to be commercially viable. In order to be commercially viable, 
ECC needs to allow the same functionality as RSA at comparable speeds, as well as lower costs 
of implementation in hardware and software. Efficient ECC will enable implementation of many 
envisioned modern systems that would otherwise be economically infeasible. As such, much 
research has been focused on achieving efficient ECC in the academia and industry. The most 
common approach to achieving efficient ECC is briefly described below. 
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To perform public-key cryptography, ECC methods take advantage of specific features of 

mathematical "groups" called "elliptic curves." An elliptic curve is related to and "constructed 
over" a mathematical "field." Any finite field can be chosen to construct an elliptic curve, but the 
exact choice of the field significantly affects the properties of the elliptic curve and the efficiency 
of computer implementations that represent the "operations" defined within that elliptic curve. 
One of the most computationally intense operations used in all ECC implementations is known as 
"elliptic curve point multiplication." Point muhiplication requires the computation ofeP, where P 
is a "point" in the elliptic curve and e is a positive integer. This operation is central to many 
elliptic curve cryptography functions, including encryption, decryption, random number 
generation, key-exchange, digital signing, and signature verification. 

Over the last decade, a debate has been carried on in the cryptography community over 
which categories of fields provide the best choices for use with ECC. Two broad categories of 
fields, called GF(p) and GF(2^) have been chosen by the Institute of Electrical and Electronics 
Engineers (IEEE) as international standards for Elliptic Curve Cryptography. While most 
academic and commercial research today is concentrated on implementing ECC over either GF(p) 
or GF(2^), the exact advantages or disadvantages of each choice with respect to cryptography is 
not clearly understood at this point. Furthermore, both GF(p) and GF(2^) encompass countless 
particular individual member fields within them. Each individual member field has its own 
properties that affect the computational characteristics of an ECC implementation. Furthermore, 
given a particular individual member field within GF(p) or GF(2^). numerous elliptic "curves" can 
be constructed over such field. The choice of the curve, too, affects the computational 
characteristics of the resulting ECC implementation. 

Prior attempts for creating efficient ECC implementations have usually been based on 
finding either specific individual member fields in GF(2^) or GF(p) or specific curves defined over 
such individual member fields which possess "special" mathematical or computational properties. 
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These special properties would then be exploited to optimize ECC computations. This approach 

does not attempt to achieve efficient ECC across all mathematical fields. Rather, it concentrates 
on carefully choosing a particular field so that a specific mathematical or computational technique 
can be deployed to achieve efficient ECC computations. 

An example of this is the proposal by Agnew, et al to utilize a method called "Normal 
Basis" to achieve fast ECC in particular fields in GF(2^). While, most academic and industry 
research has focused on using an alternate method known as "Polynomial Basis" for fields in 
GF(2^), the use of Normal Basis in six particular fields within GF(2^) has allowed 
commercialization of a particular implementation of ECC. One disadvantage of this approach is 
that key lengths are limited to the six values allowed by those particular fields. 

MATHEMATICAL BACKGROUND OF THE INVENTION 

This Section presents a list of some of the mathematical terms that are used in this 
document. Some key concepts that can be useful in following the methodology of the invention 
are also briefly described in this Section. The descriptions in this Section are not meant to be 
mathematically precise or rigorous. 

Sets 

A "set" is any collection of objects, including mathematical and physical objects. Often, a 
set is represented in print by enclosing a comma-separated list of the objects that make up the set 
within the curly brackets, "{" and "}". For example, let F represent the set of all non-negative 
integers smaller than 7. That set can be written asF= (0, 1, 2, 3, 4, 5, 6}. An object that belongs 
to a set is a "member" or "element" of the set. In another example, F denotes the set of all 
polynomials of order 4, and p(x) represents the specific polynomial x"^ + x" - x + 1 . Since p(x) is a 
polynomial of order 4, then pfxj is an element of A'. In mathematical shorthand, p/x; g F^ where 
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the symbol "e" is commonly read as "belongs to" or 'Ms a member of." A particular set S is a 

"subset" of another set F if every element of the set S is also an element of the set F. This is 
denoted by the shorthand notation SczF. For instance {5, 1, 3} c {0, 1, 2, 3, 4, 5, 6}. The "cz" 
symbol is read as "is a subset of" Every set is a subset of itself Given any set S, then S <= S. 

Mappings 

A "mapping" is a relationship that associates each member of a set with a particular 
member of another set. For instance, Tcan be defined as the relationship that "maps" each 
member of the set of all human beings to the integer that represents that person's age. If Tom is 
32 years old, then Tf Tom j = 32 is written to denote the relationship that 7' establishes between 
the integer 32 and the human being Tom. 32 is said to be the "image" of Tom "under" the 
mapping T. 

In another example, let /? be a prime number, n denote any non-negative integer, and r 
denote the integer remainder which results when n is divided by p. A mathematical shonhand for 
this is r = w mod p. For instance, if/? = 7 and n = 15, then r ^ 15 mod 7^1, which is the 
remainder of 15 divided by 7, since 15^2-7' LA mapping 7 may be constructed between the 
set of all non-negative integers A^= {0, 1, 2, 3, ... } and the set /? = {0, 1, 2, 3,4, 5, 6, 7, 8} in 
the following manner: given that p = 7 and given any non-negative integer n ^ N, let T(fi) = r = n 
mod p. Thus, T(37) ^ r ^ 37 mod 7^2. Note that regardless of what value n takes, T(n) is an 
integer less than 7. In other words, given any «e A^, then T(n) e R. By convention, Tis said to 
map the set A/^ "into" the set R. This is denoted in shorthand as T: N -^R, which is read, "Tis a 
mapping from the set into the set is referred to as the "domain" of the mapping T, while 

R is said to be the "range" of the mapping 7* 

The "image" of the set Asunder the mapping 7' is the unique subset of R where every 
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element is an image of at least one element of N. In other words, if /^denotes the image of 

under '/; then, given any element >^ g F, there exists at least one element x e M such that T(x) = 
y. Since the remainder of the division of any positive integer by 7 is one of the numbers from 0 to 
6, the image of Asunder Tin the above example is the setF= {0, 1, 2, 3, 4, 5, 6}. Since Fez/? 
(recall that /? - {0, 1, 2, 3, 4, 5, 6, 7, 8}), and no element of is mapped to any element of/? 
outside of F, then T is also a mappmg from N into F. In other words, T: N ~> F. Since every 
member of Fis an image of some element of Asunder F, then 7 is said to map A^"onto" F. 
Sometimes, the word "transformation" is used to refer to a mapping. 



Set Operations 

An "ordered pair" is a mathematical notion that references pairs of objects under 
circumstances where one needs to keep track of which object is the "first" element of the pair and 
which object is the "second" element of the pair. For instance, the set of all pairs of husbands and 
wives is a set of ordered pairs, whose members can be represented by the notation (x, y), where x 
is an element of the set of all husbands, and is an element of the set of all wives. Let and 7 be 
any arbitrary sets. The "cross product" oiX and Y is the set of all ordered pairs whose first 
elements come from X and whose second elements come firom Y. In mathematical parlance, the 
cross product of Jifand Fis written as x Kand is defined by the set of all ordered pairs (x, y), 
wherex e X. zndy s Y. As an example, let^= {0,1} and 7= {0,1,2}, thenXxy= {(0, 0), (0, 
1),(0, 2),(1,0),(1, 1X(1,2)} 

Given any set S, then a mapping from S xS into S can be referred to as a "binary set 
operation" defined within 5 (the word binary underscores the fact that each element of the 
domain of the mapping is an ordered pan.) For instance, let F= {0, I, 2, 3, 4, 5, 6}. Next, 
construct a mapping T: F xF ~> F as follows: given any ordered pair (x, y) ^ F x F, where x g 
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and V € /•', let the image of (x, yj under f be the integer that is the result of calculating the 

expression (x + y) mod 7. In other words, let T( (x^ y) ) ^ (x + y) mod 7. It is relatively 
straightforward to verify that the range of T is in fact the set F. For example, T( (4, 6) ) ^ (4 ^ 
6) mod 7 ^ 10 mod 7^3. Regardless of the value ofx+y, the integer which is the result of the 
expression fx y) mod 7 is the remainder of a division by 7 and therefore an integer between 0 
and 6, and a member of F. Hence, 7 is a binary set operation defined within F. 

For the sake of convenience, when working with a given binary operation T, the construct 
T{(x, y)) is often written as x The symbol is called the "binary operator" and is used to 
represent the binary operation T. For instance, given the above definition for Z instead of writing 
T((4^ 6)) = i, one writes 4 ■ 6 ^ (4 6) mod 7 = 3. Other symbols may also be used as binary 
operator symbols. Two other commonly used such symbols are + and ©. The two members of the 
set S that make up the ordered pair that a binary operation maps into another member of the set S 
are the "operands" in the operation, which, in turn, is said to "operate on" the operands. For 
example, in the equation, ^ • 6 = 3. the operands are 4 and 6. 

Groups 

A "group" is a set G together with a binary operation defined within the set G such 
that the following three conditions are satisfied: 

(i) Given y, z g G, then x • (y - z) ^ (x - y) z. This is known as the associative 
property of the group. 

(ii) There exists a unique element / e G, such that x - / = / • x = x, for all x g G. The 
element / is referred to as the "identity" element in G. 

(iii) Given any x e G, there exists an element x"' g G, such that x • x"' ^ L The 
element x"' is referred to as the "inverse" of x under the - operation. 
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The • operation is referred to as the "group operation." It is the existence of the group operation • 

defined within the set G that allows G to be a group. In fact, G is said to be group under the - 
operation. An "Abelian" group is a group G such that given any y ^ G, then x y - y - x. 

As an example of an Abelian group, consider the set F= {I, 2, 3, 4, 5, 6} together with 
the operation • given by or defined ^sx -y = (x -y) mod 7 for all elements x, y g F (the second " • " 
represents the common operation of integer multiplication.) It is known that F is a group under 
this "multiplication operation." To demonstrate this, Table 1, which contains the values of x -y = 
(x ^y) mod 7 for all possible combinations of elements x, y ^ is constructed below. To look up 
the value of x *>' using the table, locate the cell that is at the intersection of the row whose label is 
the value of x with the column whose label is the value o?y. 

Table 2, The Multiplication Operation in F = /7, 2, J, 4, 5, 6} 
Given by x • y =^ (x - y) mod 7 
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As an example, note that if x = i andj; = 6, the table gives x -y = 2.To verify the 
accuracy of this, note that x y =5 - 6 =^ (5 - 6) mod 7 ^ 30 mod 7 = 2, 

Given the above definitions for • and f , the task of verifying that F is a group is 
tantamount to verifying that conditions (i), (ii), and (iii) above are satisfied: 

(i) Condition (i) provides that x - (y - z) (x ■ y) ^ z. Using x=3, y=5 and z=2, 

consider that 3 - (5 - 2) ^ 3 ■ ((5 - 2) mod 7) - ■ 3 • (10 mod 7) = 3 - 3 (3 ^ 3) 
mod 7 ■ 9 mod 7 - 2; and that (3 • 5) ■ 2 - rr3 • 5) mod 7) • 2 = n5 mod 7) • 2 
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1 ■ 2 ^ (I ■ 2) mod 7 - 2 mod 7^-2. Therefore, (3 ■ 5) ■ 2 3 ■ (5 ■ 2). 

(ii) Table 1 demonstrates that the identity element of F under the group operation • is 
1 . For, as the table shows, x • 7 = / • x = / for all x e F. 

(iii) Using Table 1, the following values for the inverse, x'', of each element x of F 
(where x ■ x"' = /) can be derived: F' = /, 2'' = 4, 3'' = 5. = 3, 5'' = 3. and 
6-' = /. 

(iv) Examining Table 1 also establishes that iox 2\\x. y e F, x y = y x Hence. F is an 
Abelian group under the muhiplicalion operation. 

Sometimes, the symbol + is used to denote the group operation in F. In such cases, the 
inverse of any element x e F under + is denoted by -x rather than x"'. As another example of an 
Abelian group, consider the set F= {0, 1, 2, 3, 4, 5, 6} together with the operation + given by or 
defined asx - y = (x ^ y) mod 7 for all elements x, y ^ F (the second "+" represents the common 
operation of integer addition.) It is known that F is a group under this "addition operation." To 
demonstrate this. Table 2, which contains the values of x y = {x y) mod 7 for all possible 
combinations of elements x, y g F, is constructed below. 

Table 2. The Addition Operation in F = {0, 1, 2, 3, 4, 5, 6} 
Given byx+y = (x-^y) mod 7 
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As an example, note that if x = 5 and y = 6, the table gives x + = ^. To verify the 
accuracy of this, note thatx 5-6 (5 -6) mod 7 1 1 mod 7 4. 
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Given the above definitions for + and the task of verifying that f is a group is 

tantamount to verifying that conditions (i), (ii), and (iii) above are satisfied. 

(i) As an example of condition (i) holding, consider that (3 -h 5) -h 2 ^ ((3 - 5) mod 7) 
^2 ^ (8 mod 7) -h2 = I -h2 ^ (I ^ 2) mod 7^3 mod 7 = 3; and that 3 -t (5 -h 2) 
= 3 -h((5 2) mod 7) ^ 3 -h(7 mod 7) ^ 3 -h 0 = (3 0) mod 7^3 mod 7^3. 
Therefore, (3 -f- 5) -h 2 = 3 (5 -h 2J, 

(ii) Table 2 demonstrates that the identity element of F under the group operation -r is 
0. For, as the table shows, x + 0 - 0 - 0 for all x e F. 

(iii) Using Table 2, the following values for the inverse, -x, of each element x of F 
(where x (-x) = 0) can be derived: -0 ^ 0, -J = 6, ~2 = 5, -3 ^ 4, -4 ^ 3, -5 = 
2, and -6 = J. 

(iv) Examining Table 2 also establishes that for all x, >^ ^ F, x + = x. Hence, F is 
an Abelian group under the addition operation. 



Fields 

A "field" is a set F together with two binary set operations + and • defined within F such 
that the following conditions are met: 

(i) F is an Abelian group under the + operation. The + operation is referred to as the 
"addition operation" of the field. The identity element of the field under the 
addition operation is denoted as 0. Given any element x e F the inverse of x under 
the addition operation of the field is denoted by -x, which is referred to as the 
"additive inverse" of x. 

(ii) If 0 were to be removed from the set F, the resulting set would be an Abelian 
group under the ■ operation. The operation is referred to as the "multiplication 
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operation" of the field. The identity element of the field under the mukiplication 

operation is denoted as 1, which is an element of F distinct from 0. Given any 
element x g F, the inverse of x under the multiplication operation of the field is 
denoted by x"^ which is referred to as the "multiplicative inverse" of x. 

(iii) Given any x g then x ■ 0 0 - x 0. 

(iv) Given any x, z g F, then x • (y z) = (x - y) (x - z). This is known as the 
"distributive property" of the field. 

An example of a field is the set F = {0, 1, 2, 3, 4, 5, 6} together with the + operation 
defined asx y =^ (x + yj mod 7 and the • operation defined disx y = (x y) mod 7 for all x, y g 
F. It is known that F forms a field under these addition and multiplication operations. To 
demonstrate this fact, it is necessary to show that the four conditions described above are 
satisfied. Conditions (i) and (ii) where shown to be satisfied in the previous Section. Condition 
(iii) is evident firom the Table 3, below. 

Table 3. The Multiplication Operation in F = /», J, 2, i, 4, 5, 6} 
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As an example of condition (iv) holding, we will show that 3 (5 6) ^ (3 ^ 5) ^ (3 - 6). 
Indeed, 3 • (5 ^ 6) = (3 - ((5 - 6) mod 7)) mod 7 = (3 ■ (11 mod 7)) mod 7 - (3 ^ 4) mod 7 ^ 12 
mod 7 = 5. while, (3 - 5) ^ (3 - 6) ^ (((3 - 5) mod 7) - ((3 ■ 6) mod 7)) mod 7 ^ ((15 mod 7) ~ 
(18 mod 7)) mod 7 = (1 ^ 4 ) mod 7^5 mod 7^ 5, too. 

A field F is a "finite field" if it has a finite number of elements. The field F above is a 
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specific example of a family of finite fields known as CjF(p), where/? is any prime number. Given 

a particular prime number p. GF(p) is defined as the set {0,1 p-1} of non-negative integers 

less than /?, together with the addition operation + given by integer addition modp, and the 
multiplication operation • given by integer multiplication mod p. The field Fused in the above 
5 example is the field GF(7). 

Field Arithmetic 

The mathematical concept of fields is an abstraction of the familiar "rational" number 
system. The rationals are the set of all integers together with all numbers that can be represented 
=3o as a fraction whose nominator and denominator are both non-zero integers. The set of all rational 
^ numbers can in fact be shown to be a field under the common operations of addition and 

multiplication of fi-actions. As such, common mathematical techniques of arithmetic have also 
r been carried over to the more abstract domain of fields. Given a particular field F, mathematical 
;9 field theory allows the writing and evaluation of "valid" arithmetic expressions and equations 

ry 

whose constants and variables "come from the field, " i.e. are members of F. 

For instance, consider the equation >- = (2 - x) L The set of all ordered pairs (x, y) of 
rational numbers that satisfy this equation includes such elements as (0, 1), (2, 5), (4, 9), and 
(3.45, 7.9). However, since the constants in this equation, 2 and /, are also members of the field 
GF(7), the "expression" f2 • + / is a valid expression in GF(7), meaning that as long as the 
2 0 value that is substituted for x in the expression is a member of GF(7), it is guaranteed that the 
expression will "evaluate" to a valid member ofGF(7). As such, the equation itself is a valid 
equation in GF(7), too. In fact, the set of all "solutions" to this equation, i.e. the set of all ordered 
pairs that satisfy the equation in GF(7), is equal to {(0, J), (J. 3). (2, 5), (3. 0). (4, 2), (5. 4)^ (6. 
6)}- 
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To facilitate working with more complicated expressions, a few mathematical shorthands 

are utilized in field arithmetic. Given any field F, any element x ^ F. and any positive integer K 
the expression x' represents that unique element of F which results when x is multiplied by itself/: 
times using the multiplication operation in F. In other words x" = x ■ x ■ ... x. where there are k-1 
5 many ■ operators in the expression. By convention, x° is defined to be equal to 1 

Given any integer k and any element x in F, the expression kx represents that unique 
element of F which results when x is added to itself k many times using the addition operation in 
F. In other words, Ax = x-t-x-^ ... -^x, where there are k-1 many + operators in the expression. 
Given c a constant in F and x a variable defined over F, the expression c • x is commonly 
•;i 0 written as ex. Furthermore, given x and y, any two elements of F, the expression x - (-y) is 
bJ commonly written as x - 

rLI Given a field F and any element x in 7% the task of computing x's additive inverse, -x, or 

x's multiplicative inverse, x'', may be computationally intense. It is possible to view the task of 
% computing the inverse of x as a set operation. A "unary set operation" T defined within a set 5 is a 
5 mapping from S onto S. The word unary underscores the fact that unlike binary set operations, 
the domain of T is made up of single, individual members of 5. Given any element x of 5, let T 
map X to x"'. In other words, let T(x) = x''. Then 7" is a unary set operation. 

Given a particular field F and an integer k, a polynomial p(x) of order k defined over F is 
an expression of the form p(x) = a,x* - a.-.x"'' + - a,x + ao. In this definition, x is a variable in 
20 F, meaning that before the expression is evaluated, some particular element of F must be 

substituted for x in the expression. The particular member of F which is substituted for x is the 
value that x is "bound" to. The a,'s (0 <i <k) are known as the "polynomial coefficients" ofp(x) 
and are constants in F, meaning that they are chosen before a value for x is selected, and that 
regardless of the value that x takes on. the values of the polynomial coefficients remain the same. 
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When h' - GF(2), the set of all polynomials of degree k defined over GF(2) is referred to 

as GF(2^). It is known that given any k greater than 1, specific addition and multiplication 
operations can be defined within GF(2') in such a way so that GF(2') forms a field under such 
operations. The set GF(2^) is the set of all polynomials of order k whose polynomial coefficients 
are either 0 or 1 . For instance, p(x) = x' - .r / is a member of GF(2') whose polynomial 
coefficients are given by Os - 7, = 0. as = 0, 02 =^ L Oj = 0, and ao =■ /- 



Optimizing Field Arithmetic Calculations 

In addition to the fields of information security and cryptography, there are numerous 

I. J 

•M) Other problems in business and science, which are either based on or utilize the mathematics of 

finite fields. Computer apphcations dealing with such problems often need to carry out 
n ! calculations involving finite field arithmetic. This often takes the form of evaluating a 
'f- mathematical expression/ involving a finite number of constants, variables, coefficients and 
L^S operations defined within a finite field F. Note that variables and constants must be members of 
;S5 the field F, but coefficients may take any integer value. Coefficients, such as the 5 in the 

expression x - 5 y, are not elements of the field F, and merely represent a shorthand notation for 
repeated addition, in this case 5 3/ = 2y^2y-^y. where 2 >' =^ y - y- Since computational 
efficiency is of concern, we will assume that if the same quantity occurs in more than one part of 
an expression, such as (xj -xj) does above, each such quantity is only computed once. Also, 
2 0 without loss of generality , the expression / can and will be assumed to be in fiiUy reduced form, m 
which all calculations in the expression that involve only constants have already been performed, 
and the resulting constants substituted into the expression. 

As an example of such an expression, let F g GF(p). let , xj, yi , >i be variables defined 
in F, let a be a constant that is some element from F. and define. 
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/= ((y2 -yO ' {X2 J '((y2 -a) ■ (x, -xO'' ) -x/ -ix. 

Since the only variables and constants in the expression / are xi , x^, yi , y^ and a, the expression/ 
involves a finite number of field elements. Furthermore, the expression /involves four unary 
additive inversion operations to calculate -x, . -x^, -yi , and -a, a single unary multiplicative 
inversion operation to calculate (xj -Xi) '\ three binary multiphcation operations, three binary 
addition operations to calculate 5 x_7, four binary addition operations to calculate the expressions 
in parentheses, and two binary addition operations to calculate (...) -xj - 5 x? . Hence, the 
expression /involves a finite number of field operations, too. Consequently, when the expression/ 
is evaluated, that is, when the calculations specified in the expression /are carried out, the result 
of the calculation is going to be a single element in the field F. 

Any given expression / defined within a finite field F is usually composed of 
"subexpressions." Any part of the expression / which by itself is a valid expression in F is a 
subexpression of/ For instance, the expression 5 = (x2 -Xi) is a valid expression in F, if both X2 
and X/ are members of F. Therefore s = (x2 -Xj) is a subexpression of the expression/ = ( (yi - 
y^j . -Xj)~^ ) ' ( (y2 -yO • {^2 -xj) "0 -^2 Some of the other subexpressions of /are 5 = 
xj ,s -yi, and s = (y2 -yO - -xj Note, however, that and s = x^ -xi) ) -Xj is not a 
subexpression of /, because s is not a valid expression in F. Every expression/is a subexpression 
of itself 

Given an expression / defined within a finite field F, the task of evaluating the expression f 
can be computationally intense. Techniques that allow efficient calculation of such expressions in 
computer software and/or hardware may have significant business and scientific value. Given the 
exact nature of the applications such calculations occur in, different criteria may be used to 
determine what exactly constitutes an "efficient" calculation. In certain applications, it may be 
desirable to optimize calculations so that higher computation speeds are achieved. In other 
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applications, it may be important to optimize for minimal use of silicon area in hardware 

implementations. Still other applications may benefit from optimization that allow parallel 
computation of the calculations. In particular, the inversion operation, which in the fields GF(p) 
and GF(2^) uses the Fermat method, is computationally very intensive. To avoid this, methods of 
formulating problems in "projective coordinates" have been developed, by Menezes and others, 
which allow calculations to be reformulated in a manner that removes the need to perform any 
inversion operations, usually at the expense of increasing the number of other operations. 



The Montgomery Algorithm 

In 1985, P. L. Montgomery published an algorithm which can be used to optimize the task 
of computing an expression of the form / - a ■ Z> • r where a, A, and r are elements of a field F 
€ GF(p) and • is the multiplication operation in F. Since 1985, some work in industry and 
academia has been focused on extending the use of the Montgomery algorithm to expressions of a 
more general form than/= a - Z> * r "^ To facilitate discussion of such efforts, this patent defines 
the term "Montgomery Canonical Form." Given a particular element r of a field F, an expression/ 
in F is recursively defined to be in the Montgomery Canonical Form with respect to r as such, 

(i) An expression /is in the Montgomery Canonical Form with respect to r, if it does not 
contain any field multiplication operations and also does not contain r. That is, if no 
subexpression s exists of the form 5 = 5/- ^2, where 5/ and S2 are subexpressions of/ For 
example, the expression/ - (xi - xj ~ a) and the expression/ = are both in the 
Montgomery Canonical Form with respect to r. 

(ii) An expression/ is in the Montgomery Canonical Form with respect to r, if it can be 
written in the form of/ / •/ • where / and / are both subexpressions of/ which 
are themselves in the Montgomery Canonical Form with respect to r Note that to 
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determine whether or not an expression is in Montgomery Canonical Form with respect to 

r. the expression is to be considered in isolation. For example, the expression/ = (xj -r 

+ x,J ' X} ' r'^ is in the Montgomery Canonical Form with respect to r. However, / = x; 
• (X2 'X2) * is not in the Montgomery Canonical Form with respect to r, since although 
(X2 'X2) • is in the Montgomery Canonical Form with respect to r, the single factor of 
r'^ cannot simultaneously be considered to be part of the subexpression (x2 ■X2) • and 
also of the whole expression, so • X2 ) is not in the Montgomery Canonical Form with 
respect to r. 

(iii) An expression/ is in the Montgomery Canonical Form with respect to f\ if it can be 
written in the form of/ = (s) • r ' where 5 is a subexpression of/ which is itself in the 
Montgomery Canonical Form with respect to r For example, the expression/ = (x2 -xj) 

• is in the Montgomery Canonical Form with respect to r. And finally, 

(iv) The expression /is in the Montgomery Canonical Form with respect to r, if whenever 
there exists a subexpression 5 of/ which can be written as 5 = 5; • ^2. where Si and S2 are 
subexpressions of/ which are both in the Montgomery Canonical Form with respect to r, 
then there exists a unique subexpression of / such that 53 = 5/ • 52 • For example, the 
expression / ^ 

(((Xi -X/+x/;-xy -r'' + a) -z -r'') - (((xi - Xj^Xj)-Xi * r"' + a) -z -r') - -x/-xy 

is in the Montgomery Canonical Form with respect to r. 
Given a field F g GF(p) and an element r g F, the Montgomery algorithm can be applied 
effectively to optimize computation of any expression / in F which is in the Montgomery 
Canonical Form with respect to r. Given an arbitrary expression/ then, there may be efficiencies 
gained by "transforming'^ the expression /into some other expression/' (read as ^'f prime") which 
is in Montgomery Canonical Form. During the past decade .and a half, an innumerable number of 

17 
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expressions involving a finite number of operations within finite fields in GF(p) have been 

encountered within the confines of specific apphcations in business and academia. In some 
instances, researchers and engineers have transformed certain such expressions into other 
expressions which are in the Montgomery Canonical Form, and which are therefore faster to 
compute. Until the present invention, however, no general method for transforming any arbitrary 
expression involving a finite number of field operations in GF(p) into an expression that is in 
Montgomery Canonical Form with respect to some r in GF(p) has been known. 

A particular expression that is commonly encountered in business and academic 
applications involving fields in GF(p) is one of the form / = x^ where k is some positive integer 
and X is an element in F e GF(p). Calculating/ = is known as the exponentiation of x. It is well 
known that a particular ''substitution technique" described in the next section in this document can 
be applied to the expression / x^ to transform it into another expression,/' which is in 
Montgomery Canonical Form with respect to some particular element r in F. The Montgomery 
algorithm is commonly applied to the resulting expression/' to provide an efficient method for 
exponentiation of x. 

Although the Montgomery algorithm has been used for over a decade for fast 
exponentiation in GF(p), no method for extending its speed improvements to general finite field 
calculations has been available until the present invention. 

In 1998, C. K. Koc and T. Acar published an algorithm which can be used to optimize the 
task of computing an expression of the form a ■ b 'r~\ where a, 6, and r are elements of a 
field F G GF(2^) and • is the multiplication operation in F. This algorithm is referred to as the 
Montgomery' Algorithm in GF(2^), The Montgomery Algorithm in GF(2^) has been applied in the 
past to speed up exponentiation in GF(2^) in a manner analogous to the method used for speeding 
up exponentiation in GFfp). Until the present invention, however, no method for extending the 
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speed improvements of this algorithm to general finite field calculations has been available. 



Substitution Technique 

This section describes a particular substitution technique that is often used to manipulate 
5 expressions involving elements and operations defined within a field F. The technique involves 

replacing all instances of a specific pattern of operations and/or operands in/with another specific 
pattern. As an example, let x and y represent any member of F and let a, b, c, and r be specific 
elements in F, Then, if all occurrences of the pattern x y 'mf (a - b) ^ (c - b) are replaced by 
the pattern x - y • f\ the resulting expression /'is given by f - (a - b - rj ^ (c - b ^ r). To facilitate 

Q 

!jrt) discussion of the technique, let s be an expression that represents the pattern that is to be 

I \i replaced. The expression s is called the "source" expression. Let / be an expression that represents 

\n . 

ru the pattern that s is replaced with. The expression t is called the "target" expression. The rest of 

□ 

this section describes how the current substitution technique is applied to three simple types of 
1;^ source expressions. 

••--J 

Case 1 The source expression s involves no operators 

In this case, the source expression s is given by \ - x, where x stands for any single 
variable within the expression /. The substitution technique simply replaces all occurrences of the 
variable represented by the source expression 5 by the pattern given by the target expression /. 

20 

Case 2. The source expression involves a single unary operator 

In this case, the source expression is given either by 5 -x or ^ = x'^ where x stands for 
any subexpression of the expression /. Here, the substitution technique calls for constructing the 
set .V of all subexpressions of/ that "match" the source expression .s\ In other words, the set S is 
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given by the set of all subexpressions s of the expression/which are of the form s ^ x or s ^ x~\ 

where x is itself a subexpression of f. Note that given any two subexpressions of/ in the set 
one may be a subexpression of the other. The substitution technique works by replacing each 
member of the set S by the corresponding pattern given by the target expression /, except that 
before the substitution technique is applied to any member s of the set S, it is first applied to any 
other members of S that ^ is a subexpression of. 

Case 3. The source expression involves a single binary operator 

In this case, the source expression is given either by s = x y or s = x - y, where x and y 
stand for any subexpressions of the expression /. Here, the substitution technique calls for 
constructing the set S of all subexpressions of f that "match" the source expression s In other 
words, the set S is given by the set of all subexpressions s of the expression /which are of the 
form s=x-ry or s=X'y, where x and 3; are themselves subexpressions of/ Note that given any 
two subexpressions of/ in the set 5, one may be a subexpression of the other. The substitution 
technique works by replacing each member of the set S by the corresponding pattern given by the 
target expression /, except that before the substitution technique is applied to any member s of the 
set 5, it is first applied to any other members of S that ^ is a subexpression of. 

A substitution technique similar to this has been used in business and industry in the past in 
a two-step process to transform instances of simple expressions, of the form/ = , into another 
expression/' which is in Montgomery Canonical Form. To illustrate an example, this will be 
demonstrated for the case when /r - < which means that the expression/is given by/= = x • x 

• X ' X ^ ((X ' Xj ' X ) ' X. 

(i) Let the source expression s be given by s x ■ y. Let the target expression / be given by / 
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X -y ■ where r is a constant in the field F. Applying the substitution technique to the 

expression / = ({x - x) - x ) - x yields the expression/' ^- ((x • x - r'^) x -r'^) - x ■ r"^ 
Note that the expression /'is in the Montgomery Canonical Form, since every 
subexpression of/' enclosed in parenthesis is in the Montgomery Canonical Form with 
respect to r. Because of this, the following step can allow the Montgomery algorithm to 
be applied to efficiently calculate /*. 
(ii) Let the source expression s be given by s = x, where x stands for a variable or constant in 
/ Let the target expression / be given by / = r • /*. Applying the substitution technique to 
replace every occurrence of x with x • r in the expression// ^ ((x • x - r"0 x r~^) x - r"' 
yields the expression f - (((x - r) - (x • r) ^ r~^) (x ^ r) - r'') - (x ^ rj - r"'. . 
This substitution technique allows efficient computation of f - x^, because it can be shown that 
the expression /is equivalent to/ = /' - r"^ To see this in the case k - note that 
/'= (((x -r) (xr) -r-'; ^ (x - r) - r"'; - (x r) -r' 
rO ^ ((x r X r r'^) x /'"O x - r - 

15 ^ ((r x x r r'^) x r r'^) x - r - r'^ 

= {(r-x-x J) x l) x- I -^((r x x) x) x = r-(((x-x) -x) ■x)=r- x' 
Therefore,/' • /•"' = r • x' -r' ^ x' ■ r ■ r'' x' ■ I = x' = f. Since/' is in the Montgomery 
Canonical Form with respect to r, it is in general more efficient to compute/' • which itself is 
in the Montgomery Canonical Form, than it is to compute/ directly. 
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Elliptic Curve Groups 

An elliptic curve, G, is a mathematical group that is constructed over a specific field F, 
according to a specific set of rules that depend on the exact nature of F. In general, G is a subset 
of X /•, and the operation in (/is defined in terms of the field operations - and - on the 
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elements of F thai constitute the ordered-pair elements of G. The two most commonly studied 

classes of elliptic curves are those constructed over fields belonging to CjF(p) or GF(2^). 



Elliptic Curves over GF(p) 
5 An elHptic curve over GF(p) is defined by selected parameters a and b (both members of 

GF(p)) as the set of the all ordered pairs (x, y) that are solutions to the equation/ - + ax 
where x, y are members of GFfp) together with an extra point O, usually named as the point at 
infinity It is assumed that /? is a prime number greater than 3 and a, b in GF(p) are selected such 
that 4a' * 27b' ;^0 'm GF(p). It has been well established that points on the elliptic curve and O 
form an Abelian group with respect to the following point addition rules: 



; if Equations A 

m \ o^o^o 

■""if' 

2. (x, y) ^ 0 = (x, y) 

C3 ■ 

!;g 2. (X, y) ^ (x,-y) O 

i=j5 4. Addition of two distinct points: (xi.y,) - (X2,y2) (X3,y3) 

L = (y? -yO • (^2 ~xi)'^ 
Xs (L • L) ~X} ~X2 
ys^ L -(xi -Xs) -yi 
5. Doubling of a point: (x^yO ^ (xuyO = (xs^ys) 
2 0 L == (3xi -X} + a) ' (2yj)~^ 

x, = (L'L) ~(2xO 
ys^L '(xi -X3) -yi 

where the operations - . - • . and inverse ('') are performed in the field GF(py). The above 
rules define the method by which two points on the elliptic curve are "added" to get a third pomt. 
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These equations will be referred to in the future as Equation A. 



PCT/US98/25824 



Example 

The elliptic curve equation y- = -i >: ^ / over the field GF(23) will be illustrated. It 
turns out there are 28 points on the curve including the special point O These points are 
Point O 

(0.1) and (0,22) 
(IJ) and (1,16) 

(3.10) and (3,13) 
(4,0) 

(5.4) and (5.19) 
(6,4) and (6.19) 

(7.11) and (7,12) 
(9.7) and (9,16) 

(11.3) and (11,20) 

(12.4) and (12,19) 
(13.7) and (13,16) 
(17,3) and (17,20) 
(18,3) and (18,20) 

(19.5) and (19,18) 

For example, (1, 7) is on the elliptic curve because it satisfies the equation ^ = + x + 7 
in the field GF(23) (that is, modulo 23) because 7' = 1^ ^ 1 + 1 mod 23; 49 = 3 mod 23; and 3 = 
3 mod 23. 

The point addition of ^3, 10) and (9, 7) is computed using arithmetic modulo 23, or the field 
arithmetic of CjF(23) : 
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/. = (7-10) ■ (9-3)-' = (-3) ■ 6-' ^-(-3) -4=^ -12 ■■- 11 

x,^(ll .Il)-3-9^ 121 -12- 109 = 17 
ys = (11 ■ (3-17)) -10= -164 = 20 

Therefore, the addition of (3,10) and (9. 7) equals (17,20). This example illustrates that the 
5 addition of two points on the curve using the above rules gives a third point on the curve. 

Elliptic Curves over GF(2'') 

A non-supersingular elliptic curve over the field GF(2'') is defined by the parameters a and 
b in GF(2''). with 6 * 0, as the set of solutions (x, y) to the equation / xy = + ax^ + b 
together with the extra point O. This set of points form a group with respect to the addition rules: 
Equations B 

1. O O-O 

2. (x, y) - 0 = (x, y) 

3. (x, y) (x, x^y) = O 

4. Addition of two distinct points: (xi.yj - (X2,y2) = (X3,y3) 

(yi - y2) ■ (xi X2)~' 

x, = (L ■ L) - L ^ xi ^ X; ^ a 
y, = (L ■ (x, + xi)) - X3 t- J// 

5. Doubling of a point: (xi.yO + (x,.yi) = (X3.y3) 
X3 = X, Xi ^ b ■ (xT') ■ (xr'j 
yj=x, -Xi + (x, + y, ■ X,'') • Xj - Xj 

Point Multiplication 

An elliptic curve cryptographic operation, whether it is an encryption, a decryption, a 
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signature, or a key-pass operation, always involves the computation of eP given e and I\ where P 

is a point on the curve and e is a positive integer. The reverse of this operation, i.e., the 
computation of e given P and eP is known to be very diflficuh. This is called the elliptic curve 
discrete logarithm problem, for which no efficient algorithm is currently known. 

Since the addition operation in the elliptic curve group, G, is defined using a series of field 
operations from the underlying field, F, given two points P and O in G, computation P ^ O or 
P ^ P requires computation of a series of operations in the field. In particular, if F e GF(2^J, the 
equations 4 above show that computation of P ^ O requires one field inversion, three field 
multiplications, and nine field additions. On the other hand, the computation of F P requires 
one field inversion, three field multiplications and five field additions, as demonstrated by 
equations 5. 

If e is about 500 bits in length, the number of elliptic curve operations (additions and 
doublings) necessary to calculate eP can be shown to be about 750. Each elliptic curve operation 
involves several (about 15-20) finite field operations. If the value of k (from F g GF(2^)) is also 
high (>100), these computations consume a significant amount of time, particularly in sofliware. 
Therefore, fast hardware and software implementations of elliptic curve point multiplications are 
highly desirable in cryptography. 

The following example in GF(23) illustrates various approaches that can be taken towards 
optimizing the calculation of eP. Let e = 18 and P (3 JO), Then eP = 18(3 JO) can be calculated 
by successively adding (3 JO) to itself 1 8 times using group addition as defined in equation A: P 
^ P 4- ... - F (18 copies of P), which requires 17 elliptic curve point addition operations. 

However, there are faster algorithms known as "exponentiation methods," one example of 
which is a "binary method," shown below, which allows 18P to be computed as 
Step 1 : fP) (P) - 2P 
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Step 2. (2P) - (2P) = 4P 

Step 3: (4P) - (4P) = 8P 
Step 4: rS/'; - (8P) = 
Step 5; (16P) + r^P) =75/' 

Thus, only 5 point additions, or group operations, are utilized. The partial results as well 
as the final results are points on the curve as illustrated below: 

Step \.P ^ P=^2P (3, JO) - (3. 10) = (7, 12) 

Step 2:2P^2P = 4P (7. 12) - (7. 12) = (1 7. 3) 

Step3: 4P ^ 4P = 8P (17,3) - (17,3) =^ (13,16) 

Step 4: 8P-8P= 16P (13, 16) - (13. 16)= (5, 19) 

Step 5: 16P - 2P -18P (5.19) - (7,12) = (6,19) 

Thus, 18(3,10) is (6,19). The elliptic curve discrete logarithm problem then becomes, 
knowing (3,10) and (6,19) and that (6,19) is an integer multiple of (3,10), what is this integer? 
The integer used for this example is equal to 18. 

Given the binary representation of e as ek-iek.2...e2e,eo, the computation of can be 
accomplished using the binary method or any other M-ary method. For example, in order to 
compute O = eP, the binary method proceeds as follows. 

Q:-0 

for i = k - 1 downto 0 

Q:=Q + 0 

ife; = /thenO.^O + P 
return O. 

Therefore, the computation of O is performed by a series of elliptic curve point doublin 
(Q : Q Q) and point additions (O : - (J - P). 
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SUMMARY OF THE INVENTION 

The present invention optimizes the calculation of Elliptic Curve Cryptography 
computations through a transformation method that permits the use of any elliptic curve defined 
5 over any field F in a secure and efficient manner. The invention includes a method and apparatus 
for producing an elliptic curve point multiplication product, O - eP. The invention utilizes an 
arbitrary integer e, and a point P on an elliptic curve group G defined over a field F, where the 
group G is a subset of the field F crossed with the field F. The present invention constructs a set 
G', a mapping 7 from G into the set G' a mapping 7^' from G'onto G, and an operation 0 

il defined on G\ such that (a) given the point P. ( T(P) ) = P, and (b) P^P - r^(P'® P% where 

"'•4 

Y\ P' - T(P). An elliptic curve point multiplication product O is produced by transforming the point 

i 

i^y P to the point P' using the mapping T, performing the operation © on the point P' to determine 

i;3 

the point 0'=^ e P\ and transforming the point O' to the product O using the mapping The 
product O is used in an elliptic curve cryptographic operation. 



?\ ! 

^■;^5 The present invention also includes a method for optimizing the calculation of 



cryptographic operations involving arbitrary expressions in finite field arithmetic through a 
transformation method that permits the use of any field F in an efficient manner. The invention 
includes a method for transforming any arbitrary finite calculation in any finite field into a 
canonical form in which other previously known algorithms can be applied, thereby achieving 
2 0 increased calculation speed and efficiency. The present invention teaches a set of transformations 
of the cryptographic calculations that allows the use of other known techniques that have only 
been applicable to certain limited special cases prior to this invention. 
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DETAILED DESCRIPTION OF THE INVENTION 

The present invention provides a method for optimizing ECC computations for any curve 
in any field through focusing on one of the most computationally intense operations used in all 
ECC implementations, known as "elliptic curve point multiplication." Point multiplication requires 
the compulation ofeP, where is a point in the elliptic curve and e is a positive integer. This 
operation is central to many elliptic curve cryptography functions, including encryption, 
decryption, random number generation, key-exchange, digital signing, and signature verification. 
The present invention achieves efficient ECC by providing a methodology for optimizing the 
implementation of the elliptic curve point multiplication operation. The present invention can be 
utilized to implement ECC over any curve in any field, including all individual member fields in 
GF(p) and GF(2'). 

The present invention further provides a methodology for optimizing computation of 
calculations involving a finite number of arbitrary field operations within any finite field. These 
calculations play a key role in computer implementations of numerous systems, including elliptic 
curve cryptosystems. 

The present invention provides a "transformation method" which can be used to enable 
optimized implementations of elliptic curve cryptographic systems in hardware and software. 
The present invention, because it employs a reversible transformation applied to the 
) elements of the elliptic group, does not in any way alter the fiandamental security properties of the 
mathematical algorithm used to perform the elliptic curve cryptography. The security of the 
overall ECC algorithm is determined by the choice of elliptic curve equations, number 
representation, arithmetic algorithms and other implementation aspects. As long as these choices 
are made according to reliable standards, the security of the implementation is not affected by use 
5 of the present invention. 

28 



wo 99/30458 PCT/US98/25824 

The present invention can be used in any and all potential ECC applications, ranging from 

software for secure distribution of digital products such as movies and songs to hardware chips 
embedded in consumer electronic products such as cellular phones and smart cards. The cost- 
saving potential of the present invention can significantly enhance existing commercial 
applications and make previously infeasible business opportunities economically viable. 



Section A 

Given G crF x F, an elliptic curve defined over the field F, the present invention provides 
an improved method to optimize the computation of eP, where e is an integer and P is an element 

ofG. 

The present invention includes; 

(1) construction of a set G'and a method for representation of the members of G' in 

software and/or hardware; 

(2) construction of and implementing an algorithm for a first mapping, 7, fi-om G into the 

set G ' in software and/or hardware, 

(3) construction of and implementing an algorithm for a second mapping, T\ which acts 
as the inverse of T, from G'onto G, in software and/or hardware, and 

(4) construction of and implementing an algorithm, in software and/or hardware, for a set 
operation ® , defined in G' For each invention, the following three conditions are satisfied: 

(i) given any P ^ G, then 7"V T(P) ) = P, 

(ii) given any two points P and S in G, then P S (P' ® S% where P'- T(P) and S' 
- T(S) \ and 

(iii) G 7; ®, and and the corresponding algorithms are chosen such that given f P2. 
.... Ps ^ Cj, where N is an mteger, computation of T^V T(PO © ® --• © T(Ps)) is m 
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general more optimized than computation of Pi - Po • - ^.v 

In other words, the present invention computes O = eP by first transforming the given 
point P to a transformed point Pausing the algorithm for the first mapping F, then calculating the 
multiple sum O'^ eP' using a "transformed," more computationally optimized version of the 
elliptic curve addition operation ( ® ) in the transformed domain, and finally transforming O'back 
to O using the algorithm for the second mapping, T'. Note that satisfaction of the conditions (i) 
and (ii) above ensures that this method can be applied to any point P belonging to G. 

Under certain circumstances, when Z and @ are chosen carefiilly, it is possible to 
optimize computation of the point multiplication operation. Depending on the number of point 
additions to be performed, the additional cost of transforming the elements of G may or may not 
outweigh the improvements due to more optimized calculations in the transformed domain G' 

Section B 

The present invention fiarther provides a particular method for construction of G' Z and 
P"' that can be applied to any elliptic curve group G. 

Since G is a subset ofF xF, points in G can be written as ordered pairs (x, y), where x 
and y are elements of the field F. The present invention provides that a particular member r of P is 
first selected. The element r may be selected to be any member of the field Let / be the 
mapping from G into P xP that maps any point P - (x, y) in G to some point P'^ (x\yy\nG\ 
The present invention provides that t(P) = t((x^ y)) = (x - y - r) ^ Pr Since 3/. and r are all 
members of P, so are x r and y • r. The present invention provides that G 'is the image of G 
under i. In other words, G'is the set of all elements of F x p that have a point in G mapped to 
them by /. The present invention fiarther provides that Pis the transformation from G onto G'such 
that given any point P in G, then T(P) = 1(P) - P' While P^ - (x\ y') is necessarily a member P x 
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it is not necessarily a point in the elliptic curve group, G. P'can be obtained by computing - 

X • r andj^' = y • r. 

Let be any element ofC Since G'c: F xF, we can write fi^', v% where w'and 
are members of F. Since G'is the image of G under then there must exist u and v, two elements 
of F\ such that (u, v) g G and u' = u r and v' - v • r. Since w. v, and r are all members of the 
field F, then w u' r'^ and v = v' • r~\ where r"' is the inverse of r under the multiplicative 
operation of F. Therefore, one can construct an inverse transformation 7~'; G ' G by letting 7"' 
mapa'= (y: v% any element of G to (u'-r'^. v'-r'O- 

In formal terms, this more detailed embodiment of the present invention includes the steps 

of 

(1) constructing G'as the subset of F xF which is the image of G under the mapping /; G 
^ F X F, where / is constructed by first selecting any element r of F, and then letting t( (x, y) ) ^ 
(x • r, y ■ r), where ■ is the multiplicative operation in F; 

(2) constructing the first mapping T: G ^ G' by letting T(P) t(P). where P is any point 
in G; and 

(3) constructing the second mapping 7^'; G ' G by letting ( (u', v") ) = 
(ii ' • r"^ V ' - r"0. where (u', v') is any element of G ' 

Given the above choices for G' and T\ it may be possible to optimize calculation of 
eP may through careflil definition of a © operation in G'and careful selection of r. Certain values 
of r, for instance, may provide faster software implementations, while others may enable more 
algorithmic parallelism. 

Section C 

Another detailed embodiment of the present invention applies the methods of Sections A 
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and B to the elliptic curves defined over the specific fields belonging to GF(p). In this 

embodiment, a new transformed operation © is constructed such that conditions (i), (ii), and (iii) 

in Section A are satisfied . 

The present invention includes a method for optimizing calculations of when F is an 
individual member field ofGF(p). In this embodiment, G is an elliptic curve group over F g 
GFfpJ, and G', T,T^ are constructed in accordance with the method of the invention described in 
Section B, above, through choosing an arbitrary element r of F. The present invention constructs 
a "transformed" operation © in G' as follows. Given any two elements of G' (xi \ yi") and (X2\ 
y20. then the present invention defines (xi \yiO ® fc' y20 to be given by fxi^ ysO. where 



"r^f) E quations A' 



m 



P 

ru 

■■,3 



J Z'- (X2'-X,')~' 

T 

'J L'-^ (y2'-yi') -^'-r-' 

3 

X3' ^ L' ■ L' ■ r' -X,'-X2' 
yi'= L' ■(x,'-Xi') -r' -y,' 
iii 5 Using the above definition of ® for the operation of the "addition" of elements of G the 

present invention derives the following set of field equations for the operation of adding any 
"point" (x, '.yi 9 in G'to itself 

(x/ '.y,) ® (x,',yi9 = (^2 '•yi')^ where 
z'=(y,'+ yiT' 

20 I'= ((x,'+x/+x,')-x,'-r-' - a') ■ z' ■ r' 

xs'= L' L' r' -X,' -x,' 
ys'- L' ■(xi'-xsO f-' -y,' 

It is now shown how the present invention ensures that G' T, 7~'. and © together satisfy 
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conditions (i), (ii), and (iii) set forth in Section A. 

(i) Let P be any point in the elliptic curve group G. Then there exist some elements x and y of 
F such that P - (x^ y). Then rV T(P) ) - T( (x. y) ) ) = ( (x ^ r, y • r) ) - (x ■ r • 
r~\ y - r - r'^) = (x, y) = P. Therefore, Condition (i) in Section A is satisfied. 

(ii) Given any two points P and S in G, then we need to show that P ^ S ^ T^(P' ® S% 
where = W) and S' = T(S). Let P - (xj. yO. P' - yiO. S = y^)^ S' = (x2\ y2% 

P ' S - fc. ys) mdO'= P'- S'- (X3\y3% Then, applying the rules for point 
addition in the elliptic curve group given by Equations A, the coordinates of O are given 
hyx.-LL'Xi -"X2 andy5 = L • (xj ~ X3) ~-yi, where L - (ys-yO ' and z - fc-xy;"^ 
JO Equations A' above, on the other hand, give the coordinates for As such, it can be 

, J shown that, 

;y z' - (x/-x/r' v 

^ = (X2 r-xj -r)-^ V 

^ - (x2--xiJ~^ -r 

;g.5 = z • r 

.3 L' = (y2'-~y/)'^''^'' 

□ ^ (y2 -r-yi -r) '(z - r) -r' 

20 = L • r 

= (L -r) ■ (L ' r) ' r"^ -Xj r - x^ - r 
^ (L 'L 'X1-X2) -r 
25 = r 

y/- L' '(xr-xs) ' -y/ 

= (L -r) (x, r-xs -r) -r' -yrr 
= (L '(xi-X3)-yi) r 
3 0 y3 -r 

Therefore, (x^^y^") - (x^ - 3/3 • r). which imphes that P' r(P ^ S). as required. 

Hence, Condition (ii) in Section A is satisfied. 

(iii) The present invention has provided a method for the selection of /; ©, and and 
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their corresponding algorithms in a manner such that given P,. P2. . Ps ^ where is 

an integer, computation of 7"V ® 7rP2) ® - © rrP^;; is in general more 

optimized than computation ofPj ^ P2 ^ /^a' To verify this, note that calculation of 
jfpj 0 Y(P2) @ ... © r^P:v>^ involves repeated application of the expressions in 
E quations A\ Note, however, that these expressions are in the Montgomery Canonical 
Form with respect to r. As such, the Montgomery Algorithm in GF(p) can be readily 
applied to the calculation of T(PO @ T(P2) © ... © T(P^.) to create an optimized 
hardware and/or software implementation. Therefore, Condition (ii) in Section A is 
satisfied. 



Section D 

Another detailed embodiment of the present invention applies the methods of Sections A 
and B to the elliptic curves defined over the specific fields belonging to GF(2^). In this 
embodiment, a new transformed operation ® is constructed such that conditions (i), (ii), and (iii) 
in Section A are satisfied. 

The present invention further includes a method for optimizing calculations of when F 
is an individual member field ofGF(2'). In this embodiment, G is an elliptic curve group over F e 
GF(2^), and Z 3^' are constructed in accordance with the method of the invention described 
in Section B, above, through choosing an arbitrary element r of F. The present invention 
constructs a "transformed" operation 0 in as follows. Given any two elements of G: say (xj \ 
y, 0 and (x2\ y2% then the present invention defines (xi ^yij ® (x2\ y?") to be given by (xs\ ysO. 
where 

Equations B' 
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ys'- (L'-(xr-^r X3O -r'' ) ^ Xs'^ yj' 

Using the above definition of © for the operation of the addition of points in G \ the 
present invention derives the following set of field equations for the operation of "doubling a 
point", i.e. adding a point (xi ^ 9 in G'to itself: 

(xi \yn®(xi\yiO- (X3\ ysO. where 

z'-(xrr^ -r' 

y/^xj^-xj'-r'^ - (x/^ yi'-z'-r'^) -x/-/-"' - xs' 

It is now shown how the present invention ensures that T, T\ and © together satisfy 
conditions (i), (ii), and (iii) set forth in Section A. 

(i) Let P be any point in the elliptic cun/e group G. Then there exist some elements x and ^ of 
FsuchthatP - (x,y). Then r'(T(P)) - T( (x, y) ) ) - ( (x -r^yr)) - (x - r ^ 
r~\ y - r - r'^) = (x, y) = P. Therefore, Condition (i) in Section A is satisfied. 

(ii) Given any two points P and S in G, then we need to show that P S = (P' ® SO. 
vvhere P'- T(P) and S' - T(S). Let P =^ (x^^ yd. P' = (xi ^yiO.S- y2). S' = (xo'. yiO^ 
0 ^ P ^ S =^ {x3, yz) ^ndO'- P'-^ S'^ (x,'. ysO- Then, applying the rules for point 
addition in the elliptic curve group given by Equations A, the coordinates of O are given 
hy X3 = L 'L ^ L ^ X} ^ X2 - a?inAy3^ L ' (xi x,) X3 ^ yi. where L = (yi y^) • z, 
and z = (xi - xt)'^ Equations A' above, on the other hand, give the coordinates for O'. As 
such, it can be shown that. 
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~ z • r 

^ (yi 'f^ ^ y2 - r) '(z -r) - r ^ 

- (yi y2) - z - r 

L r 

xs'=- L' 'L' -f'-^ - L'-'r x/- x./^ a' 

--^,(L -r) '(L -r) -r'^ L ■ r ^ Xf r ^ X2 - r ~ a' - r 
^ (L ' L L ^ Xi + X2 - a') ' r 
^ X3 r 

y/-L''(xr^xsO r-' ^x/^yi' 

^ (L ' r) • (xi r ^ X3 r) r ^ X3 ' r ^ yi ' r 
= (L ■ (xi -r xs) yi) -r 

Therefore, we have (xs'^ysO = (xs -r^ys- r) which implies that 0 5'= T(P ^ S). as 
required. Hence, Condition (ii) in Section A is satisfied, 
(iii) The present invention has provided a method for the selection of T, ®, and and 

their corresponding algorithms in a manner such that given Pu P2. . Pn ^ G, where is 
an integer, computation of rV T^r/"/; ® T(P2) ® ® rr^Ai^j is in general more 
optimized than computation of ^ P2 P\' To verify this, note that calculation of 
f^pj @ f^p^ ® . . © rfPv>> involves repeated application of the expressions in 
E quations B\ Note, however, that these expressions are in the Montgomery Canonical 
Form with respect to r. As such, the Montgomery Algorithm in GF(fj can be readily 
applied to the calculation of rrP/; ® T(P^ ® ... ® r^PM^ to create an optimized 
hardware and/or software implementation. Therefore, Condition (ii) in Section A is 
satisfied. 



Section E 

The present invention fijrther provides a method for achieving higher efficiencies when 
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utilizing the methods of Sections C and D above by providing specific choices of r. 

The present invention works with any element r in the field F over which the elliptic curve 
group G is defined. The exact choice of the element r, however, affects the computational 
characteristics of the resulting calculations. The present invention teaches that the selection of r 
5 can optimize specific aspects of a software and/or hardware implementation within specific 

computer environments. For instance, choosing r to be a multiple of 32 can have beneficial effects 
on 32-bit computers. Given a particular selection of r, the calculation ofa b r'' may be done in 
more than one way, some of which may be more computationally efficient. The following 
selections of r are preferred: 

.50 1 Field GF(p): r is selected as the smallest power of 2 that is larger than/?. 

''■■A 

=^ 2. Field GF(p) \ r can be selected as the product of k prime numbers, which gives the 

resulting algorithm a high degree of parallelism. 

3. Field GF(2^) \ r is selected as mod n(x), where n(x) is the irreducible polynomial 

-J 

3 generating the field GF(2 ). 

y 

J5 Other selections of r for different fields are also possible. The transformation algorithms 

■3 

work independently of this selection. 



Section F 

The present invention fijrther provides a method for optimizing calculation of a finite 
2 0 number of arbitrary field operations over any finite field. Let/ be a valid expression defined within 
F involving a finite number of variables, and a finite number of the field operations ^ . • . - and 
The present invention provides a method for optimizing computation of/ which includes 
carrying out the following steps in sequence: 

(1) Select r to be any single element of the field The element }\ a constant, will be used to 
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transform the expression /into a new expression /'through applying a series of 

substitutions in accordance with the substitution technique described earlier in this 
document. If the expression / already contains a constant or variable denoted by the 
symbol r\ then rename the symbol r in this step-by-step procedure to some unique value, 
and interpret the subsequent steps of this procedure as if r were renamed appropriately in 
them. Note that the expression / may coincidentally contain constants or variables that 
may have the same field value as the selected element r, without affecting this procedure. 
Subsequent steps of this procedure will rely on the expression/ being initially free of 
"primed" symbols such as ory ' If the expression /initially contains any variables or 
constants which are denoted by "primed" symbols, then replace each primed variable or 
constant symbol with a unique unprimed name. Subsequent substitution steps of this 
procedure will employ source expressions containing primed symbols, which by 
convention in this patent are not allowed to match symbols that are not primed. Note that 
source expressions containing unprimed symbols, such as x, are allowed by convention in 
this patent to match variable symbols or constant symbols which may be either primed or 
unprimed. 

(2) Transform the expression /into the expression / by replacing all occurrences of the source 
expression x with the target expression x \ In this substitution, x denotes a variable or 
constant occurring in the expression / This replaces all variables and constants with 
primed symbols. Note that this occurs without affecting any coefficients that may exist in 
the expression / 

(3) Transform the expression // into the expression /? by replacing all occurrences of the 
source expression x y with the target expression x In this substitution, x and 3^ 
denote subexpressions of/, which should contain only primed symbols, and ® is used as 
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an alternate symbol to represent the multiplication operation in the field F. The purpose of 

this step IS to label as ® all of the original - operators occurring in the expression/ to 
distinguish them from the - operators that will be introduced into the transformed 
expression during the following steps of this method. 

(4) Transform the expression into the expression /j by replacing all occurrences of the 
source expression x'' with the target expression x"' • r In this substitution, x denotes a 
subexpression of - 

(5) Transform the expression into the expression by replacing all occurrences of the 
source expression x®y with the target expression x - y - r'^ In this substitution, x and 
denote subexpressions of/j. 

(6) Transform the expression into the expression /' by replacing all occurrences of the 
source expression x ' with the target expression x- In this substitution, x ' denotes a 
primed variable or primed constant occurring in the expression/j, specifically excluding all 
instances of the unprimed constant r. The effect of this step is to replace every primed 
symbol with its unprimed form multiplied by r. 

Upon completion of the above steps, the expression/is transformed into a new expression 
/' The present invention has carefully specified the preceding steps in such a way as to ensure that 
f^f.r'^ To prove this, the resuh is demonstrated for the four special cases when/ ^ x - y,f = 
X -yj ^ X y, and/ = x~^ where x and y are elements in the field F. The general result follows 
from the commutative, associative and distributive properties of the field. 



Case 1 Transformed Addition 

Let / - X - y. Applying the substitution method of the present invention to the expression 
/results in the transformed expression/' x r ■ y ■ r. To see that/ / - note that/ x .v 
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- (x ■ y) r (x - r ' y - r) -r'^ f ■ r 



PCT/US98/25824 



Case 2. Transformed Subtraction 

Let f=x -y. Applying the substitution method of the present invention to the expression/ 
results in the transformed expression - x - r -y • r. To see that/ • r"^ note that/ ^ x -y 
(x -y) - r ' = (x-r-yr) -r'' -r- , 

Case 3. Transformed Multiplication 

Let f =' X -y. Applying the substitution method of the present invention to the expression/ 
results in the transformed expression f = (x -r) -(y - r) • r"^ To see that/ =/' • r~\ note that/ - 
X ^y ^x y r r"^ -X y r r r'^ ^x r y r ' r"^ • r"' - (x - r) - (y - r) - r'^ • r'' =/' - 

^-^ 

Case 4. Transformed Inversion 

Lety ^ Applying the substitution method of the present invention to the expression/ 
results in the transformed expression f = (x - r) • r . To see that/ -/' • r'\ note that/ - x'^ ■ r 
.r-'^x-' -r-' .r .r-^ - (x ^ r)'^ • -r"' ^/'-r'^ 

Thus, the present invention provides a method to transform any expression/ involving a 
finite number of field operations within a finite field F into the form/' • /•"^ Furthermore, the 
expression/' • constructed by the present invention is guaranteed to be in the Montgomery 
Canonical Form. To verify this, note that (i) the substitution steps of the method of the present 
invention ensure that if the original expression /includes any subexpressions that are of the form x 
' \\ such subexpressions are transformed into the form fx - rj - fy • rj • r\ which is in the 
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Montgomery Canonical Form; and (ii) whenever the substitution steps of the method of the 

present invention introduce a new muhiplication operation into the transformed expression, such 
operation brings with it a single additional operand which is always a power of r, thus preserving 
the Montgomery Canonical Form of the subexpression it is introduced into. 
5 Depending on the exact nature of F, and the number of the multiplication operations in the 

expression/and the exact number and nature of the operations involved in the calculation of/', 
computation of the expression f - may be more efficient than direct computation of the 
expression/ This is particularly likely, when the field F is a member of either GF(p) or GF(2^). 
For, in such instances, the Montgomery Algorithm can be applied to the expression/' • r"' to 
[pp ensure optimized computation of the value that the expression/ evaluates to. 

LJ 

i y Section G 

1.3 

r The present invention may also be used with "projective coordinates " which are used to 

=J3 eliminate the need for performing inversion. 

=f 5 For example, in projective coordinates, a point on the elliptic curve group G has 3 

• ^ coordinate values: (xi, yj, ZjJ while the affine coordinates requires only two values: (xi, yi). 

For example, for elliptic curves defined over GF(2^), given the distinct points P and O 
expressed in projective coordinates: 
P :^ (xu yu zi) 
2 0 O :^ fc. yi. zz) 

the projective coordinates of the sum of 2 points on the elliptic curve are: 

P-^O-fxs. yj. zs) 
using the following addition rules: 

A ■ xj • zi - x/ 
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B = y2 - zt - yi 
C = A + B 

D = -(A ^ a z,) + zi B -C 
x, = A D 

ys = C 0 + A- (B -x, + A -y,) 

Z3=A^-Zi 

This computation requires 13 field multiplications, and no inversions. 
Similarly, the addition formulae for computing 2P is given as; 
A = X/ • z/ 

B = b z,^ -r x/ 
xs-^A B 

y, = x/ - A B ■ (x,^ + yi -Zj + A) 
Zi =A^ 

This computation requires 7 field multiplications, and no inversions. 

Thus, the use of projective coordinates eliminate the inversions at the expense of storing 3 
GF(2'') values to represent P and performing a few more multiplications. 

The present invention can also be used in conjunction with projective coordinates. The 
addition rules would then be modified as follows: 

A'^ Xi' z,' -r' ^ X,' 

B' = y2'z,'r-' +y/ 

C'=A'+ B' 

D'= (A' A'-r-') ■(A'+ a'-z,'-r-') ■ r' -r (zi'-B'-r'') C' r-' 
x/^ A'-D' r' 

y/ CD'/-' ■ (A' -A' ■>■'') -(B'-x, A'-yi'i-') • 
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Similarly the rules for computing 2P are modified as 

y/- (((x/'xr-r-'j -x/.r-'; 'x/-r-') -A'-r'^ ^ 
B''(x/ -Xi'-r-' + yi'-zi'-r' + A") -r'' 



IMPLEMENTA TION 

The present invention may be implemented on any conventional or general purpose PC 
computer system. It may also be used in conjunction with any netv^ork system, including the 
Internet. A preferred embodiment of a computer system for implementing this invention is an Intel 
Pentium II PC 233 MHz, running Windows NT 4.0. 

The present invention can be implemented in any programming language including C and 
Java. The following are examples of pseudo code suitable for implementing the present invention. 



Setup: a, b : Parameters of the elliptic curve (EC) 
F : The field upon which the EC is based 

Either GF(p) or GF(2^) 
* : field multiplication 
+ : field addition 
- : field subtraction 

: field inversion 
P=(P(x), P(y)) : A point on the EC 
P{x) Sc P{y) are affine coordinates 



Algorithm Identifier: ExpPoint 
Input: e : k-bit integer 

P : Point on the EC, P = (P(x), P(y)) 
Output: Q : Point on the EC, Q = (Q{x), Q(y)) 

Q := eP = (P+P+...+P) (e times P) 
function ExpPoint 
begin 

/* Transform P to P ' using r */ 
P' (x) = P (x) * r 
P • (y) - P (y) * r 

/* Start with O' point at infinity */ 
Q' = O' 
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/* Binary method loop */ 
for i=k- 1 down to 0 do 

Q' := DoublePoint (Q • ) 



.5? 



if e_i=l then Q' 

/* Transform < 

Q(x) = Q' (x) * r 

Q{y) = Q' (y) * r' 
return Q 
end 



: = AddPoint (Q ' 
using r */ 



P' ) 



Algorithm 
Input : P ' 
Q' 

Output: T» 



Identifier : AddPoint 

Transformed Point on the EC 
Transformed Point on the EC 
Transformed Point on the EC 
= P» + Q' using the EC point 



addition rules 



function AddPoint 
begin 
/* If the 

lambda ' 

T' (X) = 

T' (y) = 

return T 
/* If the underlying 



underlying field 
= Multiply ( (Q' (y) 
Multiply (lambda ' , 
Multiply ( lambda » , 



field 

lambda' = Mult iply ( ( P ' (y ) 
T' (x) = Multiply (lambda • , 



is GF(p) 
- P' (y) ) 
lambda ' ) 
(P' (x) - 

is GF(2^) 

+ Q' (y) ) 
lambda ' ) 



Inverse (Q ' (x) 
- P' (x) - Q» (x) 
T' (x) ) ) - P' (y) 



PMx) ) 



Inverse (P ' 



(x) 



Q' (x) ) ) 
+ lambda' + P' (x) + Q' (x) 



T' (y) = Multiply (lambda' , (P' (x) + T' (x) ) ) + T' (x) + P' (y) 



return T 
end 
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Algorithm Identifier: DoublePoint 



Input : 
Output 



PMx) ) + 

- 2P' (x) 
T' (x) ) ) - 



a- ) . 



P' : Transformed Point on the EC 
T' : Transformed Point on the EC 

rpi := p» + p using the EC point doubling rules 
function DoublePoint 
begin 

/* If the underlying field is GF (p) 

lambda' = Mult iply (Multiply ( 3P ' (x) 
Inverse (2P ' (y) ) ) 

T' (x) = Multiply (lambda ' , lambda') 
T' (y) = Multiply (lambda' , (P'(x) - 
return T . 
/* Else if the underlying field is GF(2^) 
= Multiply (P' (x) , P' (x) ) + 

Multiply (b' , Multiply ( Inverse (P ' 
= Multiply(P* (x) , P' (x) ) + 

Multiply (P* (x) + Multiply (P* (y) , 
T' (x) ) + T' (x) 

return T 
end 



P' (y) 



(x) 

(y) 



(X) , P' (x) ) ) ) 
Inverse (P ' (x) ) ) 



Algorithm Identifier: Inverse 
Input : u: Field element 
55 Output: t: Field element 
function Inverse 
begin _ 

t = u - * r^ 

return t 
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end 



Algorithm Identifier: Multiply 
Input : u, V: Field elements 
Output: t: Field element 
function Multiply 
begin 

t = u * V * r 

return t 
end 

A number of references describe the mathematical background for the present invention. 
Those references include: P. L. Montgomery, Modular multiplication without trial division, 
"Mathematics of Computation," 44(170):519-521, April 1985; D. E. Knuth, "The Art of 
Computer Programming: Seminumerical Algorithms," volume 2, Second edition, Reading, MA: 
Addison-Wesley, 1981; C. K. Koc and T. Acar, Montgomery multiplication in GF(2*'), 
"Proceedings of Third Annual Workshop on Selected Areas in Cryptography," pages 95-106, 
Queen's University, Kingston, Ontario, Canada, August 15-16, 1996; C. K. Koc and T. Acar., 
Fast software exponentiation in GF(2*'), "Proceedings, 13th Symposium on Computer 
Arithmetic," pages 225-231, Asilomar, California, July 6-9, 1997, Los Alamitos, CA: IEEE 
Computer Society Press; J. C. Bajard, L. S. Didier, and P. Komerup, An RNS Montgomery 
multiplication algorithm, "Proceedings, 13th Symposium on Computer Arithmetic," pages 
234-239, Asilomar, California, July 6-9, 1997, Los Alamitos, CA: IEEE Computer Society 
Press; D. Stinson. "Cryptography Theory and Practice," CRC Press, 1995, V. Miller, Uses of 
elliptic curves in cryptography, "Advances in Cryptology - CRYPTO 85, Proceedings," pages 
417-426, New York, NY: Springer-Verlag, 1985; N. Koblitz, Elliptic curve crypto systems, 
"Mathematics of Computation," 48:203-209, 1987, N. Koblitz, "A Course in Number Theory and 
Cryptography," New York, NY: Springer- Verlag, 1987; A. J. Menezes, "ElUptic Cuive Public 
Key Cryptosy stems," Boston, MA: Kluwer Academic Publishers, 1993; R.L. Rivest, A. Shamir, 
and L. Adleman. A Method for Obtaining Digital Signatures and Public-key Cryptosy stems," 
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Communications of the ACM, 2 1(2): 120- 126, 1978; T. Beth, M. Frisch, and GJ. Simmons, 

Public-key Cryptography: State of the Art and Future Directions. Springer- Verlag, NY, 1991; 
IEEE Working Group PI 363, Working Draft: IEEE 1363: Standard for RSA, Diffie-Hellman and 
Related Public-key Cryptography. In preparation, 1995; RSA Laboratories, Answers to 
Frequently Asked Questions about Today's Cryptography. Version 3.0, 1996; G.B. Agnew, R C. 
MuUin, I.M. Onyszchuk, and S.A. Vanstone, An implementation of a fast public-key 
cryptosystem. Journal of Cryptology, 3(2):63-79, 1991. All of these publications are herein 
incorporated by reference as if each individual publication were specifically and individually set 
forth herein. 

Having described and illustrated the principles of our invention with reference to a 
preferred embodiment, it will be apparent that the invention can be modified in arrangement and 
detail without departing from such principles. As such, it should be recognized that the detailed 
embodiment is illustrative only and should not be taken as limiting the scope of our invention. 
Rather, we claim as our invention all such embodiments as may fall within the scope and spirit of 
the following claims and equivalents thereto. 



